The private sector is starting to awaken to the fact that we are in the hackers’ crosshairs as the cyberwar rages. Several private initiatives led by the insurance industry are looking to develop a coordinated policy with government entities, data to inform action, and best practices for companies.
But is it fast enough?
In Part 1 of this series on the new cyberwar, Awakening a Sleeping Giant, we discussed the recent, dramatic changes in cyber insurance and how the private sector is collectively reacting to ransomware.
We noted that criminal enterprises supported by nations have greatly increased attacks on commercial companies and other non-governmental organizations. The SolarWinds hack, the Colonial Pipeline and JBS attacks, and the Microsoft Exchange hack are just the beginning. Despite stern warnings, the Chinese, Russians, Iranians, North Koreans, and others do not seem to be deterred.
In this Part 2, we will discuss the ways – constructive and not – that state and federal governments are starting to address the tricky political and commercial problem of nations and state-sponsored companies attacking private enterprise. In Part 3, we will address the current best practices approach to prevent and react to ransomware attacks. And in Part 4, we will offer our suggestions and predictions as to what the future holds.
Responding to Cyber Crime: Active vs. Passive
“I’m from the government, and I’m here to help.”
Cheekiness aside, there is simply no coordinated response to cybercriminals that does not include action at the state and federal levels. The action can be active – the pursuit of criminal hackers – or passive – creating laws and regulations that incentivize and discourage various behaviors for both organizations and individuals. Active measures often require both political will and political consensus.
And while it might seem like preventing cybercrime would be an easy thing for politicians to agree on, if political action means the appropriation of funds (and it always does), you can be sure there will be a fight on Capitol Hill.
Further, our federal system means that different government entities regulate us: energy is federally regulated; education and finance may be federally or state-regulated; utilities are state-regulated. Consequently, while the feds or a state can “mandate” some behavior, much of the adoption will be voluntary. Therefore, focusing on cybersecurity methods that minimize resource consumption while maximizing results is the best approach for adoption.
So let us be prudent and move to passive measures. How can government work to help consumers and businesses protect and defend themselves? I would suggest there are three areas: privacy regulation, a single set of common best practices, and safe harbor laws.
Cyberwar Defense: Privacy Regulation
The old adage, “When the service is free, you are the product,” has taken on real meaning in the social media age. You – in the form of your data and information – are being sold every second. As a society, we are generally trusting of our corporations. It is not clear they are worthy of that trust.
Now there is no shortage of regulations governing data and privacy – HIPAA, FERPA, CCPA, DFARS – but these regulations govern how the holder of the data must exercise care of the data they hold. For example, HIPAA regulates the way hospitals and healthcare providers manage the health information of their patients or customers.
With few exceptions, these regulations do not focus on empowering people or organizations to manage their data more proactively. In Europe, the GDPR takes a more consumer-centric approach and offers consumers a broad set of rights to restrict the use of their data. While the CCPA and other state privacy laws allow consumers to control the use of their information, these laws are not extensive and represent several different, hence confusing, requirements.
Further, consumers have repeatedly shown they will opt for privacy given a choice. Unfortunately, many consumers do not make (or have the opportunity to make) an educated choice. Instead, they click through to accept the privacy terms. Because of this, companies should have to request approval from consumers annually, with clear language describing how they use consumer data.
Finally, it is unclear that making a distinction between personal data and general confidential data (such as IP) makes sense in the world in which we live. It is tempting to say there is a difference between stealing a social security number and the theft of IP or secret military technology. Yet, it is past time to broaden existing consumer rights and extend those rights to all legal entities that put data in the care of a third party.
In summary, the federal and state governments should move to take two actions:
- Coordinate and adopt consistent, consumer-rights-focused legislation to give consumers easier ways to manage their data. This law should include a sunset provision on all assents to privacy policies.
- Provide corporations and other entities similar rights as consumers.
Cybersecurity improves when there is less data to steal. Our default approach is to let the market drive positive behavior (or punish bad behavior). But we are in a situation where one of the best things we can do right now is to restrict, in a reasonable way, what data is available. Less data available to access means less data to steal.
Cyberwar Defense: A Common Set of Best Practices
Much of the industry effort around developing a sound information security posture discussed in the last post related to the idea of “best practices.” While laudable, the reality is that many SMBs and middle-market companies struggle to understand if and how “best practices” make them compliant with the alphabet soup of data, privacy, and other regulations with which they must comply. In their minds, the bigger “threat” is government action for non-compliance rather than a cyber attack from hackers.
Also, which best practices should you follow? NIST? If NIST, which one? ISO? How much of that work will be applicable when your customer demands SOC2? The truth is that the standards are very similar overall, but the devil is in the details. This is especially true if your contract or regulatory compliance depends on it. That is not to say that there should be a “one size fits all” standard for information security. Instead, articulating an international, foundational “best practice” for all while allowing for information security maturation and specialization for industries, such as healthcare, payment cards, or education, would produce a much clearer path to security for companies.
Note: Many benefits of these actions will fall to middle-market companies ($50M – $1B annually) and SMBs (<$50M annually). Companies of that size often do not have the resources to figure out the interrelationship between multiple standards and government regulations. Most large enterprises have the resources and expertise to do so. But with hackers going after smaller fish (or going after big fish through their smaller vendors), middle-market and SMB companies are in dire need of help.
- Develop a foundational set of “best practices” that are consistent and effective.
- Develop a clear “maturity model” to allow for enhanced security postures. The model being attempted with CMMC is a good example.
- Develop clear specializations that build on, rather than overlap, the best practices maturity model.
- Provide clear guidance as to how this best-practices approach helps companies meet their regulatory obligations.
Cyberwar Defense: Safe Harbor Laws
A company can do everything right and still suffer a breach. In that event, it’s a free-for-all for lawyers and regulators. Thankfully, some states are taking a different approach. Connecticut, Ohio, and Utah have passed “safe harbor” laws that protect companies from tort claims if the companies can demonstrate compliance with a recognized standard, such as ISO 27001 or NIST 800-171. According to Inc Magazine, 60% of small businesses fail within a year after a breach. Safe harbor provisions offer some relief from the burden of lawsuits, which is a tremendous incentive to comply with ISO or NIST.
At the federal level, the Federal Sentencing Guidelines for Organizations (FSGO) have long recognized that operating a compliance program to detect criminal conduct is a way to reduce an organization’s “culpability score.” Similarly, there are efforts underway to apply both safe harbor principles and the FSGO to security practices. In January, the president signed an amendment to the HITECH Act that allows for mitigation of fines for covered entities and business associates that follow recognized security practices, such as NIST or ISO. This approach needs to be extended as fully as possible across industries.
Of course, public entities – state and federal – have a very different disincentive structure. If a school or other government entity gets breached, the financial burden gets passed along to the taxpayers. Unlike private companies – whose very existence may be threatened – government entities will carry on. There is no easy answer to this issue. A reasonable scheme needs to be in place that either incentivizes public sector employees responsible for consumer or other data to conform with standards, or creates meaningful disincentives for failing to do so.
Coming Up Next
In the next part of this series, we will discuss what those foundational best practices may look like and how SMBs and middle-market companies can ensure they are doing all they can to prevent breaches without breaking their budgets.
Looking to enhance your information security program and wondering which resources you need and whether (or not) you need a full-time CISO? Start with our blog post: To CISO or Not to CISO.
EXTEND Resources helps organizations like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats — including law firm and vendor risk. Contact us to learn more.
Steve Henn
shenn@extendresources.com
203.803.2127